Group Policy Filtering

There are a number of different options in Group Policy that allow you to target Group Policy at particular users and computers. This video looks at WMI filters and security filtering, which can be applied to target the Group Policy settings that you configure. The video also looks at how you can disable parts of a Group Policy Object to speed up processing on your clients.

Sorting by OUs

One way of applying Group Policy is to sort the users and computers into different OUs. A typical way of doing this is to separate the users and computers by physical location, department and operating system. The problem with this approach is that an administrator needs to sort these objects initially and again whenever changes occur, for example when users change job titles or operating systems are upgraded. By using filters in Group Policy you can automate this process.

Demonstration

All the Group Policy filtering options are available from the Group Policy Management Console. Once you select a Group Policy Object you can configure additional filtering options for it.

User/Computer Configuration Enabling/Disabling

If you select the Details tab, the GPO Status option allows you to enable or disable the GPO, or to have only the user or only the computer configuration enabled. If you are only using one part of the configuration for the GPO, it is worthwhile disabling the other part. Disabling configuration like this will speed up the processing of the GPO on the client.

Security Filtering

On the Scope tab you can configure which groups are allowed to apply the Group Policy Object. Adding groups here effectively changes the permissions of the Group Policy Object, giving that group access to apply the Group Policy. The same effect can be achieved by editing the security of the Group Policy Object directly; however, Security Filtering provides an easier interface if all you want to do is see who has the ability to apply the Group Policy, or add or remove access.

WMI Filter

Windows Management Instrumentation (WMI) allows software to retrieve information about the client. For example, information about the operating system, hardware and installed software can be retrieved using WMI. Using WMI filters, you can target a Group Policy Object at particular characteristics of a computer. You can only assign one WMI filter per Group Policy Object; however, you can make it as complex as you wish. Using WMI filters in your domain, especially complex WMI filters, can increase the time Group Policy takes to apply.

To create a WMI query, select WMI Filters in the left panel of Group Policy Management under your domain and paste in your WMI query. An example of a WMI query is listed below.

Select * FROM Win32_OperatingSystem WHERE Caption="Microsoft Windows XP Professional" AND CSDVersion="Service Pack 3"

Once you have a WMI query configured, you can assign one WMI filter to the Group Policy Object on the Scope tab.

A free WMI explorer: http://www.ks-soft.net/hostmon.eng/wmi/index.htm

Delegation

The Delegation tab effectively shows some of the permissions of the Group Policy Object. In order for the Group Policy to be applied to a client, the client requires the Read and Apply Group Policy permissions. To gain access to the security properties, press the Advanced button. If you want to prevent the Group Policy from being applied, select the Deny option for Apply Group Policy. Deny permissions should only be applied when necessary. In most cases there is another solution which does not require deny permissions.

References

"MCTS 70-640 Configuring Windows Server 2008 Active Directory Second Edition" pg 285-291
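
The GPO status, security filtering, WMI filter and deny settings described above can also be reviewed from PowerShell, which helps when auditing who can actually apply a GPO. The script below is an added example, not part of the original page; it assumes the GroupPolicy module is installed, and the GPO name is a placeholder. A WMI filter lets the GPO apply when its query returns at least one result, so the last step runs the page's query on the local machine and times it.

```powershell
# Added example, not from the original page. Run from a domain-joined machine
# with the GroupPolicy module (RSAT Group Policy Management tools) installed.
Import-Module GroupPolicy

$GpoName = 'Example Workstation Policy'  # placeholder GPO name (assumption)
# The WQL query quoted on the page
$Wql = 'SELECT * FROM Win32_OperatingSystem WHERE ' +
       'Caption="Microsoft Windows XP Professional" AND CSDVersion="Service Pack 3"'

$gpo = Get-GPO -Name $GpoName -ErrorAction Stop

# Details tab: which halves of the GPO are enabled
"GPO status : $($gpo.GpoStatus)"

# Scope tab: the single WMI filter linked to the GPO, if any
$filterName = if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { '(none)' }
"WMI filter : $filterName"

# Security filtering and delegation: every permission entry on the GPO
$perms = Get-GPPermission -Name $GpoName -All

'Trustees allowed to apply the GPO:'
$perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
    ForEach-Object { "  $($_.Trustee.Domain)\$($_.Trustee.Name)" }

# Deny entries override allows, so list them separately for review
'Deny entries to review:'
$perms | Where-Object { $_.Denied } |
    ForEach-Object { "  $($_.Trustee.Name): $($_.Permission)" }

# Evaluate the WQL query on this machine and time it; a slow query here
# is paid for on every client each time Group Policy is processed
$timing = Measure-Command {
    $script:hits = @(Get-CimInstance -Namespace 'root\CIMv2' -Query $Wql)
}
$passes = $hits.Count -gt 0
"WMI query matches this machine: $passes ($([int]$timing.TotalMilliseconds) ms)"
```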